[libvirt] problem with nwfilter and ip6tables

Reinier Schoof reinier at transip.nl
Mon Nov 21 13:46:28 UTC 2011


Hi,

I'm investigating using the nwfilter-functionality of libvirt to give my 
clients the possibility to block ports of their VPSes. The same 
mechanism allows me to restrict the outgoing traffic a VPS is 
generating. In the end, I want to restrict MAC, IPv4 and IPv6 traffic, 
while the client can also restrict traffic to UDP and TCP.

All goes well, until I want to restrict the UDP/TCP traffic to certain 
IPv6 addresses. Where iptables shows the IPv4-restriction I've put up, 
ip6tables doesn't show anything. In the logs, I only see some ip6tables 
-D, -X and -F commands failing, which is expected when libvirt tries to 
delete/flush rules that were never there.

I've built my nwfilter containing the following IPv6-rules, which I for 
instance reference once for all the TCP-ports which should be open.

<!-- Allow established traffic -->
<filter name='ipv6-allow-statefull' chain='ipv6'>
   <rule action='accept' direction='in' priority='500'>
     <all state='ESTABLISHED'/>
   </rule>
   <rule action='accept' direction='out' priority='500'>
     <all state='ESTABLISHED,RELATED'/>
   </rule>
</filter>

<!-- Allow TCP in $PORT -->
<filter name='ipv6-allow-create-state-by-port' chain='ipv6'>
   <rule action='accept' direction='in' priority='500'>
     <tcp state='NEW' dstportstart='$PORT'/>
   </rule>
   <rule action='accept' direction='in' priority='500'>
     <udp state='NEW' dstportstart='$PORT'/>
   </rule>
</filter>

<!-- Allow IPv6 traffic from $RANGE -->
<filter name='ipv6-allow-create-state-by-range' chain='ipv6'>
   <rule action='accept' direction='out' priority='500'>
     <ipv6 srcipaddr='$RANGE' srcipmask='64'/>
   </rule>
</filter>

<!-- Drop all other IPv6 traffic -->
<filter name='ipv6-drop-stateless' chain='ipv6'>
   <rule action='drop' direction='inout' priority='999'>
     <all/>
   </rule>
</filter>

I use a similar approach for my IPv4 firewall, and it works perfectly. 
When I use these IPv6 rules, all IPv6 traffic is apparently dropped, but 
it's hard to debug when the result of this config is absent in ip6tables.

I'm using these versions of software on debian 6.0 squeeze:
virsh # version
Compiled against library: libvir 0.9.2
Using library: libvir 0.9.2
Using API: QEMU 0.9.2
Running hypervisor: QEMU 0.15.0

Does anyone have any clues? Thanks in advance!

Regards,

Reinier Schoof

-- 

TransIP BV | https://www.transip.nl/
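One check worth running over such definitions before staring at ip6tables output is a lint of the filter XML itself. The following is an added example, not part of the original post and not libvirt's own code: it parses the four filters above (copied in as constructed input under one root element) together with a constructed `<interface>` that references them with a hypothetical PORT value, and reports two things. First, protocol elements inside an `ipv6` chain that libvirt compiles into iptables rather than ip6tables (`tcp`, `udp`, `all` and the other IPv4-layer elements; their ip6tables counterparts are `tcp-ipv6`, `udp-ipv6`, `all-ipv6` and so on, while `ipv6` is already an ip6tables element). Second, `$VARIABLES` that a filterref leaves unbound, since libvirt cannot instantiate a filter for that interface until every variable it uses has a value.

```python
"""Lint libvirt nwfilter definitions: flag IPv4-only protocol elements inside
ipv6 chains and report filter variables that a filterref leaves unbound."""
import re
import xml.etree.ElementTree as ET

# Constructed: the four filters from the post, wrapped in a single root element
# so they can be parsed together (libvirt itself defines each one separately).
FILTERS_XML = """<filters>
<filter name='ipv6-allow-statefull' chain='ipv6'>
   <rule action='accept' direction='in' priority='500'>
     <all state='ESTABLISHED'/>
   </rule>
   <rule action='accept' direction='out' priority='500'>
     <all state='ESTABLISHED,RELATED'/>
   </rule>
</filter>
<filter name='ipv6-allow-create-state-by-port' chain='ipv6'>
   <rule action='accept' direction='in' priority='500'>
     <tcp state='NEW' dstportstart='$PORT'/>
   </rule>
   <rule action='accept' direction='in' priority='500'>
     <udp state='NEW' dstportstart='$PORT'/>
   </rule>
</filter>
<filter name='ipv6-allow-create-state-by-range' chain='ipv6'>
   <rule action='accept' direction='out' priority='500'>
     <ipv6 srcipaddr='$RANGE' srcipmask='64'/>
   </rule>
</filter>
<filter name='ipv6-drop-stateless' chain='ipv6'>
   <rule action='drop' direction='inout' priority='999'>
     <all/>
   </rule>
</filter>
</filters>"""

# Constructed: a domain <interface> referencing the filters. The PORT value is
# hypothetical; RANGE is deliberately left unbound to exercise the second check.
INTERFACE_XML = """<interface type='bridge'>
  <filterref filter='ipv6-allow-create-state-by-port'>
    <parameter name='PORT' value='22'/>
  </filterref>
  <filterref filter='ipv6-allow-create-state-by-range'/>
</interface>"""

# Protocol elements libvirt compiles into iptables (IPv4) rules, mapped to the
# element names that are compiled into ip6tables instead.
IPV4_ONLY = {
    "ip": "ipv6", "tcp": "tcp-ipv6", "udp": "udp-ipv6", "sctp": "sctp-ipv6",
    "icmp": "icmpv6", "esp": "esp-ipv6", "ah": "ah-ipv6",
    "udplite": "udplite-ipv6", "all": "all-ipv6",
}
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def is_ipv6_chain(chain):
    """libvirt derives the chain's protocol from its name prefix: 'ipv6' or 'ipv6-...'."""
    return chain == "ipv6" or chain.startswith("ipv6-")


def lint_ipv6_chains(filters_xml):
    """Return (filter name, rule index, element, suggested element) for every
    rule in an ipv6 chain whose protocol element would land in iptables."""
    findings = []
    for flt in ET.fromstring(filters_xml).iter("filter"):
        if not is_ipv6_chain(flt.get("chain", "root")):
            continue
        for idx, rule in enumerate(flt.findall("rule")):
            for proto in rule:  # each child of <rule> is one protocol element
                if proto.tag in IPV4_ONLY:
                    findings.append((flt.get("name"), idx, proto.tag, IPV4_ONLY[proto.tag]))
    return findings


def unbound_variables(filters_xml, interface_xml):
    """Map each referenced filter to the $VARIABLES it uses but the filterref
    does not bind; such a filter cannot be instantiated for the interface."""
    filters = {f.get("name"): f for f in ET.fromstring(filters_xml).iter("filter")}
    result = {}
    for ref in ET.fromstring(interface_xml).iter("filterref"):
        name = ref.get("filter")
        bound = {p.get("name") for p in ref.findall("parameter")}
        used = set()
        for elem in filters[name].iter():  # every element, attribute by attribute
            for value in elem.attrib.values():
                used.update(VAR_RE.findall(value))
        result[name] = used - bound
    return result


if __name__ == "__main__":
    for name, idx, tag, fix in lint_ipv6_chains(FILTERS_XML):
        print(f"{name} rule {idx}: <{tag}> compiles into iptables, not ip6tables; use <{fix}>")
    for name, missing in unbound_variables(FILTERS_XML, INTERFACE_XML).items():
        if missing:
            print(f"{name}: unbound variables {sorted(missing)}")
```

To run it against a host's real definitions, concatenate the output of `virsh nwfilter-dumpxml <name>` for each filter under one root element and feed that string to `lint_ipv6_chains`; a hit in the first list points at a rule whose effect will show up in `iptables -S` rather than `ip6tables -S`, which matches the symptom of an ip6tables table that stays empty.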